On 22/03/16 19:14, Andrew Gallagher wrote:
> All this is true. But this does not help *me* one iota.

It sounds to me like you're not looking for the Web of Trust, which is indeed very limited in its options. Instead, you are probably looking for something more like TOFU, in the sense that this developer whose signature you see is the same one whose signature you saw last time. Or maybe a radically different other trust model. Quite likely one which hasn't actually been implemented.

It's still the same though: the OP talked about the Web of Trust, so my answer was about the Web of Trust. That the Web of Trust is not what you are looking for is a completely different issue.

> Even importing the entire Debian keyring and setting them all to marginal
> trust (I'm already trusting them to write my OS, so why not?)

Exactly! Well observed. I've said it before as well: a nefarious person holding the private key of a Debian Developer can do much more interesting stuff than introduce false signatures in the Web of Trust, so you might as well trust them on that too. That is, as always, depending on your threat model. But I'd wager that it's compatible with a lot of threat models, since Debian developers can pretty much execute code as root on your machine.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
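The "import the whole keyring and set every key to marginal trust" step that Andrew describes above, as an added shell example that is not part of the original thread: it turns a colon-format key listing (the shape `gpg --with-colons --list-keys` prints) into an ownertrust file that `gpg --import-ownertrust` accepts, assigning only primary-key fingerprints and skipping subkeys. The listing, fingerprints and user IDs below are constructed sample data.

```shell
#!/bin/sh
# Added example: build an ownertrust file that gives every primary key in a
# colon-format listing the same trust level. Ownertrust values in gpg's
# import format are: 2 undefined, 3 never, 4 marginal, 5 full, 6 ultimate.

# Constructed sample listing (not real keys). The second key carries a subkey
# whose fpr record must NOT receive an ownertrust entry.
SAMPLE_LISTING='pub:u:4096:1:0123456789ABCDEF:1458671000:::u:::scESC::::::23::0:
fpr:::::::::AAAA0000BBBB1111CCCC2222DDDD3333EEEE4444:
uid:u::::1458671000::UIDHASH::Example Developer <dev@example.org>::::::::::0:
pub:u:4096:1:FEDCBA9876543210:1458672000:::u:::scESC::::::23::0:
fpr:::::::::5555AAAA6666BBBB7777CCCC8888DDDD9999EEEE:
uid:u::::1458672000::UIDHASH::Another Developer <other@example.org>::::::::::0:
sub:u:4096:1:1111222233334444:1458672000::::::e::::::23:
fpr:::::::::0000111122223333444455556666777788889999:'

# ownertrust_lines TRUST_VALUE  < colon_listing
# Emits "<primary fingerprint>:<trust>:" once per pub record. In a colon
# listing the fpr record that follows a pub record is the primary key's
# fingerprint (field 10); fpr records after a sub record belong to subkeys
# and are ignored, because ownertrust is a property of the primary key.
ownertrust_lines() {
    trust="$1"
    awk -F: -v t="$trust" '
        $1 == "pub"         { want = 1; next }            # next fpr is the primary key
        $1 == "fpr" && want { print $10 ":" t ":"; want = 0 }
        $1 == "sub"         { want = 0 }                  # subkey fingerprints: no ownertrust
    '
}

# Typical use (assumes the keyring is already imported into gpg):
#   gpg --with-colons --list-keys | ownertrust_lines 4 > marginal-ownertrust.txt
#   (review the file, then) gpg --import-ownertrust marginal-ownertrust.txt
# Here the constructed listing stands in for the gpg output:
printf '%s\n' "$SAMPLE_LISTING" | ownertrust_lines 4
```

Marginal (4) matches the "trust them all marginally" idea in the quoted text; whether marginal or full is appropriate is the threat-model decision Peter refers to, and the trust value is the only thing to change.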
It sounds to me like you're not looking for the Web of Trust, which is indeed very limited in its options. Instead, you are probably looking for something more like TOFU, in the sense that this developer whose signature you see is the same one whose signature you saw last time. Or maybe a radically different other trust model. Quite likely one which hasn't actually been implemented. It's still the same though: the OP talked about the Web of Trust, so my answer was about the Web of Trust. That the Web of Trust is not what you are looking for is a completely different issue. > Even importing the entire Debian keyring and setting them all to marginal > trust (I'm already trusting them to write my OS, so why not?) Exactly! Well observed. I've said it before as well, a nefarious person holding the private key of a Debian Developer can do much more interesting stuff than introduce false signatures in the Web of Trust, so you might as well trust them on that too. That is, as always, depending on your threat model. But I'd wager that it's compatible with a lot of threat models, since Debian developers can pretty much execute code as root on your machine. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at <http://digitalbrains.com/2012/openpgp-key-peter> _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users